
WinDbg script

  1. $$ bpep.wds - Entry point stopper [lhc645,2010] - WinDbg script
  2. .block
  3. {
  4. .catch
  5. {
  6.   $$ part I
  7.   $$ find entry point address (ldr)
  8.   r? $t0 = &@$peb->Ldr->InLoadOrderModuleList
  9.   r? $t1 = *(ntdll!_LDR_DATA_TABLE_ENTRY**)@$t0
  10.   r $t2 = @@c++(@$t1->EntryPoint)
  11.   .printf "Main module entry point 0x%I64X\n", @$t2
  12.   $$ set breakpoint on ep
  13.   bp @$t2
  14.   $$ part II
  15.   $$ set breakpoint on tls callbacks
  16.   r $t1 = @@c++(@$t1->DllBase)
  17.   .printf "Main module base 0x%I64X\n", @$t1
  18.   r? $t2 = (ntdll!_IMAGE_NT_HEADERS64*)(*(unsigned long *)(@$t1+0x3c)+@$t1)
  19.   .printf "PIMAGE_NT_HEADERS64: 0x%I64X\n", @$t2
  20.   r $t0 = @@c++(@$t2->OptionalHeader.DataDirectory[9].VirtualAddress)
  21.   .if (@$t0!=0)
  22.   {
  23.    r $t0 = @$t0 + @$t1
  24.    .printf "PIMAGE_TLS_DIRECTORY64: 0x%I64X\n", @$t0
  25.    $$ addressofcallbacks
  26.    r? $t0 = *(void**)(@$t0+0x18)
  27.    .printf "Address of callbacks %I64X\n",@$t0
  28.    r? $t2 = *(void**)@$t0
  29.    .while(@$t2!=0)
  30.    {
  31.      .printf "Callback %I64X\n",@$t2
  32.      bp @$t2
  33.          r $t0 = $t0+8
  34.          r? $t2 = *(void**)@$t0
  35.    }
  36.   }
  37.   .else
  38.   {
  39.     .printf "Tls directory is not found!\n"
  40.   }
  41.   $$ Go!
  42.   g
  43.  }
  44. }